07-08-2013 10:45 AM - edited 02-21-2020 07:00 PM
Group,
Been struggling with an error between VPN appliances and could really use some expert input with this issue. This is the output from the router. I have been getting slaughtered over keeping these tunnels lit and they keep disconnecting. Tried redoing the configuration this morning and the tunnels have dropped after the expiration of the first key. Your thoughts are GREATLY appreciated. Seems weird to have a lifeduration of both 3600 and 4608000. On the SA540 it seems I can only set one or the other.
006023: Jul 8 13:23:03.623 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
006024: Jul 8 13:23:23.468 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 97.76.78.218:500, remote= 67.78.146.158:500,
local_proxy= 192.168.10.0/255.255.255.224/0/0 (type=4),
remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
006025: Jul 8 13:23:23.468 EDT: ISAKMP:(0): SA request profile is (NULL)
006026: Jul 8 13:23:23.468 EDT: ISAKMP: Created a peer struct for 67.78.146.158, peer port 500
006027: Jul 8 13:23:23.468 EDT: ISAKMP: New peer created peer = 0x2B674C90 peer_handle = 0x80000091
006028: Jul 8 13:23:23.468 EDT: ISAKMP: Locking peer struct 0x2B674C90, refcount 1 for isakmp_initiator
006029: Jul 8 13:23:23.468 EDT: ISAKMP: local port 500, remote port 500
006030: Jul 8 13:23:23.468 EDT: ISAKMP: set n
006031: Jul 8 13:23:23.468 EDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 315581E8
006032: Jul 8 13:23:23.468 EDT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
006033: Jul 8 13:23:23.468 EDT: ISAKMP:(0):found peer pre-shared key matching 67.78.146.158
006034: Jul 8 13:23:23.468 EDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
006035: Jul 8 13:23:23.468 EDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
006036: Jul 8 13:23:23.468 EDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
006037: Jul 8 13:23:23.472 EDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
006038: Jul 8 13:23:23.472 EDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
006039: Jul 8 13:23:23.472 EDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
006040: Jul 8 13:23:23.472 EDT: ISAKMP:(0): beginning Main Mode exchange
006041: Jul 8 13:23:23.472 EDT: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
006042: Jul 8 13:23:23.472 EDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
006043: Jul 8 13:23:33.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
006044: Jul 8 13:23:33.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
006045: Jul 8 13:23:33.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
006046: Jul 8 13:23:33.472 EDT: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
006047: Jul 8 13:23:33.472 EDT: ISAKMP:(0):Sending an IKE IPv4 Packet
006048: Jul 8 13:23:43.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
006049: Jul 8 13:23:43.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
006050: Jul 8 13:23:43.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
006051: Jul 8 13:23:43.472 EDT: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
006052: Jul 8 13:23:43.472 EDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
006053: Jul 8 13:23:53.468 EDT: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 97.76.78.218:0, remote= 67.78.146.158:0,
local_proxy= 192.168.10.0/255.255.255.224/0/0 (type=4),
remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4)
006054: Jul 8 13:23:53.468 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 97.76.78.218:500, remote= 67.78.146.158:500,
local_proxy= 192.168.10.0/255.255.255.224/0/0 (type=4),
remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
006055: Jul 8 13:23:53.468 EDT: ISAKMP: set new node 0 to QM_IDLE
006056: Jul 8 13:23:53.468 EDT: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 97.76.78.218, remote 67.78.146.158)
006057: Jul 8 13:23:53.468 EDT: ISAKMP: Error while processing SA request: Failed to initialize SA
006058: Jul 8 13:23:53.468 EDT: ISAKMP: Error while processing KMI message 0, error 2.
006059: Jul 8 13:23:53.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
006060: Jul 8 13:23:53.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
006061: Jul 8 13:23:53.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
006062: Jul 8 13:23:53.472 EDT: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
006063: Jul 8 13:23:53.472 EDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
006064: Jul 8 13:23:53.624 EDT: ISAKMP:(0):purging node -206295591
006065: Jul 8 13:23:53.624 EDT: ISAKMP:(0):purging node 625489527
006066: Jul 8 13:24:03.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
006067: Jul 8 13:24:03.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
006068: Jul 8 13:24:03.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
006069: Jul 8 13:24:03.472 EDT: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
006070: Jul 8 13:24:03.472 EDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
006071: Jul 8 13:24:03.624 EDT: ISAKMP:(0):purging SA., sa=2BBA9280, delme=2BBA9280
006072: Jul 8 13:24:13.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
006073: Jul 8 13:24:13.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
006074: Jul 8 13:24:13.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
006075: Jul 8 13:24:13.472 EDT: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
006076: Jul 8 13:24:13.472 EDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
006077: Jul 8 13:24:23.468 EDT: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 97.76.78.218:0, remote= 67.78.146.158:0,
local_proxy= 192.168.10.0/255.255.255.224/0/0 (type=4),
remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4)
006078: Jul 8 13:24:23.472 EDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
006079: Jul 8 13:24:23.472 EDT: ISAKMP:(0):peer does not do paranoid keepalives.
006080: Jul 8 13:24:23.472 EDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 67.78.146.158)
006081: Jul 8 13:24:23.472 EDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 67.78.146.158)
006082: Jul 8 13:24:23.472 EDT: ISAKMP: Unlocking peer struct 0x2B674C90 for isadb_mark_sa_deleted(), count 0
006083: Jul 8 13:24:23.472 EDT: ISAKMP: Deleting peer node by peer_reap for 67.78.146.158: 2B674C90
006084: Jul 8 13:24:23.472 EDT: ISAKMP:(0):deleting node 766956796 error FALSE reason "IKE deleted"
006085: Jul 8 13:24:23.472 EDT: ISAKMP:(0):deleting node -1685128159 error FALSE reason "IKE deleted"
006086: Jul 8 13:24:23.472 EDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
006087: Jul 8 13:24:23.472 EDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
07-09-2013 01:02 AM
Hi,
Looking at the above output, it changes its state to MM1 but never changes to MM2. That means it is not getting any IKE messages from the peer. I would check your configuration on the other end and make sure it has the same config/attributes. The other thing you would want to check is whether the following ports are open: UDP 500 (for IKE phase 1), UDP 4500 (for NAT-T) and IP protocol 50 (for ESP). The last thing to check is the ACL.
Regarding the two lifetime values, the second value is actually in KB, not seconds.
HTH,
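The "stuck in MM1" reading above can be automated so that the next debug capture does not need to be read line by line. What follows is an added example, not code from the thread: a small Python triage script that walks the `Old State = ... New State = ...` transitions in `debug crypto isakmp` output, counts Phase 1 retransmits, records the SA deletion reason and reports whether the peer ever answered at all. Both sample logs are constructed: the first is a shortened copy of the debug posted at the top of the thread (same states, timestamps and peer), the second is a made-up contrast case in which the peer does answer and Phase 1 completes. The `lifedur=` parse also pulls out the two lifetimes the original poster asked about (seconds and kilobytes, whichever expires first).

```python
"""Triage IOS 'debug crypto isakmp' output for an IKEv1 initiator (added example)."""
import re

# Constructed: a shortened copy of the debug posted in the thread (no reply from peer).
SAMPLE_LOG_NO_REPLY = """\
006024: Jul 8 13:23:23.468 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 97.76.78.218:500, remote= 67.78.146.158:500,
lifedur= 3600s and 4608000kb,
006039: Jul 8 13:23:23.472 EDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
006041: Jul 8 13:23:23.472 EDT: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
006044: Jul 8 13:23:33.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
006049: Jul 8 13:23:43.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
006060: Jul 8 13:23:53.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
006067: Jul 8 13:24:03.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
006073: Jul 8 13:24:13.472 EDT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
006080: Jul 8 13:24:23.472 EDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 67.78.146.158)
006087: Jul 8 13:24:23.472 EDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

# Constructed contrast case: the peer answers MM1, so the initiator moves past MM1.
SAMPLE_LOG_REPLY = """\
000101: Jul 8 14:00:00.000 EDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
000102: Jul 8 14:00:00.000 EDT: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
000103: Jul 8 14:00:00.040 EDT: ISAKMP (0): received packet from 67.78.146.158 dport 500 sport 500 Global (I) MM_NO_STATE
000104: Jul 8 14:00:00.040 EDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
000105: Jul 8 14:00:00.100 EDT: ISAKMP:(0):Old State = IKE_I_MM5 New State = IKE_I_MM6
000106: Jul 8 14:00:00.100 EDT: ISAKMP:(0):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
"""

TS = re.compile(r"(\d{2}):(\d{2}):(\d{2})\.(\d{3})")
NEW_STATE = re.compile(r"New State = (\S+)")
RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE = re.compile(r'deleting SA reason "([^"]+)"')
LIFEDUR = re.compile(r"lifedur= (\d+)s and (\d+)kb")


def _seconds(line):
    """Seconds since midnight from the IOS timestamp, or None for continuation lines."""
    m = TS.search(line)
    if not m:
        return None
    h, mi, s, ms = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s + ms / 1000


def _verdict(r):
    if "IKE_P1_COMPLETE" in r["states"]:
        return "phase1-complete"
    if r["received"] == 0 and r["furthest_mm"] <= 1:
        # MM1 went out, nothing came back: a path, filtering or peer-side problem,
        # not a proposal or PSK mismatch (those need at least one reply).
        return "no-reply"
    return "failed-after-reply"   # peer answered; look at policy/PSK/ID in later MM states


def analyze(log):
    """Summarise one Phase 1 attempt from debug output into a dict of facts plus a verdict."""
    r = {"states": [], "received": 0, "retransmits": 0, "retransmit_limit": None,
         "delete_reason": None, "lifetime_s": None, "lifetime_kb": None,
         "first_send": None, "last_event": None}
    for line in log.splitlines():
        t = _seconds(line)
        if t is not None:
            r["last_event"] = t
        if m := NEW_STATE.search(line):
            r["states"].append(m.group(1))
        if "sending packet to" in line and r["first_send"] is None:
            r["first_send"] = t
        if "received packet from" in line:
            r["received"] += 1
        if m := RETRANS.search(line):
            r["retransmits"] = max(r["retransmits"], int(m.group(1)))
            r["retransmit_limit"] = int(m.group(2))
        if m := DELETE.search(line):
            r["delete_reason"] = m.group(1)
        if m := LIFEDUR.search(line):
            r["lifetime_s"], r["lifetime_kb"] = int(m.group(1)), int(m.group(2))
    mm = [int(m.group(1)) for s in r["states"] if (m := re.search(r"IKE_[IR]_MM(\d)", s))]
    r["furthest_mm"] = max(mm, default=0)
    have_times = r["first_send"] is not None and r["last_event"] is not None
    r["elapsed_s"] = r["last_event"] - r["first_send"] if have_times else None
    r["verdict"] = _verdict(r)
    return r


if __name__ == "__main__":
    for name, log in (("no-reply sample", SAMPLE_LOG_NO_REPLY), ("reply sample", SAMPLE_LOG_REPLY)):
        res = analyze(log)
        print(f"{name}: verdict={res['verdict']} furthest=MM{res['furthest_mm']} "
              f"received={res['received']} retransmits={res['retransmits']}/{res['retransmit_limit']} "
              f"elapsed={res['elapsed_s']}s reason={res['delete_reason']!r}")
```

On the thread's own debug the script reports `no-reply`: five retransmits ten seconds apart, no `received packet from` line, 60 seconds from the first MM1 send to `Death by retransmission P1`. That verdict is the cue to stop comparing proposals and instead capture on the peer's WAN side for UDP 500 from 97.76.78.218, and to check anything in the path that could drop or not forward it.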
07-10-2013 09:42 AM
Rudy,
Thanks for the follow-up, appreciate the help. I took a look at the remote endpoint (an SA540) and it seems that all the settings, as far as I can tell, are the same on both devices. On the SA540 it just keeps showing a timeout on Phase 2 waiting for Phase 1 to respond.
IKE
Direction: Both
Exchange Mode: Main
Local Address: Local WAN IP
Remote: Remote WAN IP
IKE SA: AES256 / SHA1
Pre Shared Key: Y
Group 2
SA Lifetime 28800
XAuth: None
VPN Policy
Policy: Auto
Local Gateway: Dedicated WAN
Remote Endpoint: 97.76.78.218
Enable NetBIOS: Y
Local Traffic: 10.0.2.0 / 255.255.255.0
Remote: 192.168.10.0 / 255.255.255.224
Auto Policy Parameters:
SA Lifetime: 3600
Encryption: AES-256 / SHA1
PFS: Yes Group 2
I can confirm that on the other end the 2911 does have UDP 500 / 4500 / ESP in an ACL, but a remote port scan shows the ports closed. Perhaps a conflict in an ACL? The 2911 config is posted below. Input is GREATLY appreciated!
Building configuration...
Current configuration : 38030 bytes
!
! Last configuration change at 11:35:36 EDT Wed Jul 10 2013 by cisco
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pl-gw1-tpa
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
enable secret 5 $1$PY04$lr7M7hXShNpHY2OFzi8Yj1
enable password 7 153F080F1126272B3D216C71415757
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication enable default enable
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.15.1 10.0.15.9
ip dhcp excluded-address 10.0.15.21 10.0.15.30
!
ip dhcp pool ccp-pool1
network 10.0.15.0 255.255.255.224
domain-name platautofinance.com
dns-server 208.67.220.220 208.67.222.222
default-router 10.0.15.1
!
!
no ip bootp server
ip domain name platautofinance.com
ip host pl-gw1-tpa.platautofinance.com 192.168.10.1
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3265635853
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3265635853
revocation-check none
rsakeypair TP-self-signed-3265635853
!
!
crypto pki certificate chain TP-self-signed-3265635853
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323635 36333538 3533301E 170D3133 30363137 31363035
33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32363536
33353835 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100920C 1E8282C0 73A070FD D38CE7FA 9BFB28A9 2DBB650A E2BDBE39 DE6973B6
E7D3B5B0 1CB17B0C BD1EDF5A 71110AF8 A284BD91 E53F8759 4983DBBD E30F21AA
FEA356E8 0ECA20AC FA3A7182 8124C4F5 338EA780 24B05B3E EFF044E4 2D32805F
10E34A2A 92D88F7F BEC18A26 C81F719B 4F40B442 3AA29410 362C2831 579DC2FF
784B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1482EF2E AA9A36F0 5E63266D 42493D85 2DC1474A 38301D06
03551D0E 04160414 82EF2EAA 9A36F05E 63266D42 493D852D C1474A38 300D0609
2A864886 F70D0101 05050003 81810000 03FA4A1B 645F0399 C5BA4EBD 2CE916F7
9CE5066E D95E0666 EB3AC88D FDEFEBBC 38207B55 B2803706 2DAA39F4 0635DAF9
860C3D5F 8CB68A8C D07F9669 260ECCCE 1C6A94B7 6CC6D15F 6B2E35C4 78AF2469
A138ECA9 72C6BC5E 8C6ADEFF 5896B228 32B19F52 7A938A05 A59B4421 13ADFAE9
413DC2DF FF0A9CB3 5B9D3E3E B383B5
quit
license udi pid CISCO2911/K9 sn FGL162410ZE
license boot module c2900 technology-package securityk9
!
!
object-group service Asterisk
description SIP Communication Settings
udp range 16384 16482
udp range 5060 5061
!
object-group service MSExchange
description Exchange Server Services
tcp eq pop3
tcp eq 143
tcp eq 443
tcp eq smtp
tcp eq www
!
object-group service OpenFire
description Openfire IM Services
tcp eq 7777
tcp range 5222 5223
!
object-group service ReadyDesk
description ReadyDesk Helpdesk Applications
tcp range 7575 7576
tcp eq 8081
!
username cisco privilege 15 password 7 0722224F5B05150A0200525F567A
username blakmoon91 privilege 15 password 7 132814111E0008253E3671606772
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxx address 71.40.160.123
crypto isakmp key xxxxxxxxx address 98.101.151.234
crypto isakmp key xxxxxxxxx address 67.78.146.158 255.255.255.252 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group PlatinumVPN
key xxxxxxxxxxxxx
dns 192.168.10.3 10.0.2.2
domain platautofinance.com
pool SDM_POOL_1
acl 121
save-password
include-local-lan
split-dns clearwater.thrifty.com
split-dns platautofinance.com
pfs
max-users 25
netmask 255.255.255.224
banner ^CYou have reached a security checkpoint.
All connections are monitored. Follow company usage guidelines.
Please contact the MIS IT Department for more information at 727-249-0844. ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group PlatinumVPN
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set PlatinumTransform esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
description Used by the VPN Pool.
set security-association lifetime seconds 10800
set transform-set ESP-3DES-SHA
set pfs group2
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map Platinum 1 ipsec-isakmp
description Platinum Crypto Set
set peer 67.78.146.158
set security-association lifetime seconds 3600
set transform-set PlatinumTransform
set pfs group2
match address 106
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description INTERNET_UPLINK$ETH-WAN$$FW_OUTSIDE$
ip address 97.76.78.218 255.255.255.248
no ip redirects
ip flow ingress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map Platinum
!
interface GigabitEthernet0/1
description LAN$ETH_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.224
no ip redirects
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
description $ETH-LAN$$FW_INSIDE$
ip address 10.0.15.1 255.255.255.224
no ip redirects
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
no ip redirects
ip flow ingress
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 192.168.0.1 192.168.0.25
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source route-map SDM_RMAP interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.13 21 97.76.78.218 21 route-map SDM_RMAP_10 extendable
ip nat inside source static tcp 192.168.10.3 25 97.76.78.218 25 route-map SDM_RMAP_6 extendable
ip nat inside source static udp 192.168.10.29 69 97.76.78.218 69 route-map SDM_RMAP_4 extendable
ip nat inside source static tcp 192.168.10.3 80 97.76.78.218 80 route-map SDM_RMAP_12 extendable
ip nat inside source static tcp 192.168.10.3 110 97.76.78.218 110 route-map SDM_RMAP_15 extendable
ip nat inside source static udp 192.168.10.28 161 97.76.78.218 161 route-map SDM_RMAP_8 extendable
ip nat inside source static tcp 192.168.10.3 443 97.76.78.218 443 route-map SDM_RMAP_9 extendable
ip nat inside source static udp 192.168.10.29 514 97.76.78.218 514 route-map SDM_RMAP_5 extendable
ip nat inside source static tcp 192.168.10.6 3389 97.76.78.218 3389 route-map SDM_RMAP_3 extendable
ip nat inside source static udp 192.168.10.12 5060 97.76.78.218 5060 route-map SDM_RMAP_11 extendable
ip nat inside source static tcp 192.168.10.3 5222 97.76.78.218 5222 route-map SDM_RMAP_14 extendable
ip nat inside source static tcp 192.168.10.3 5223 97.76.78.218 5223 route-map SDM_RMAP_13 extendable
ip nat inside source static tcp 192.168.10.3 7777 97.76.78.218 7777 extendable
ip nat inside source static tcp 192.168.10.28 8081 97.76.78.218 8081 route-map SDM_RMAP_7 extendable
ip route 0.0.0.0 0.0.0.0 97.76.78.217 name DEFAULT_ROUTE
!
ip access-list extended NAT_ACL
remark Master NAT_ACL
permit ip any any
!
access-list 100 remark CCP_ACL Category=18
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.10.0 0.0.0.31 10.0.2.0 0.0.0.255
access-list 100 deny tcp host 192.168.10.13 eq ftp any
access-list 100 deny tcp host 192.168.10.2 eq smtp any
access-list 100 deny udp host 192.168.10.29 eq tftp any
access-list 100 deny tcp host 192.168.10.2 eq www any
access-list 100 deny tcp host 192.168.10.2 eq pop3 any
access-list 100 deny udp host 192.168.10.28 eq snmp any
access-list 100 deny tcp host 192.168.10.2 eq 443 any
access-list 100 deny udp host 192.168.10.29 eq syslog any
access-list 100 deny tcp host 192.168.10.29 eq 3389 any
access-list 100 deny udp host 192.168.10.12 eq 5060 any
access-list 100 deny tcp host 192.168.10.28 eq 5222 any
access-list 100 deny tcp host 192.168.10.28 eq 5223 any
access-list 100 deny tcp host 192.168.10.28 eq 8081 any
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.1
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.2
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.3
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.4
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.5
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.6
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.7
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.8
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.9
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.10
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.11
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.12
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.13
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.14
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.15
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.16
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.17
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.18
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.19
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.20
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.21
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.22
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.23
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.24
access-list 100 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.25
access-list 100 permit ip 192.168.10.0 0.0.0.31 any
access-list 101 remark CCP_ACL Category=16
access-list 101 permit udp any host 97.76.78.218 eq tftp
access-list 101 permit tcp any host 97.76.78.218 eq ftp
access-list 101 permit tcp any host 97.76.78.218 eq 22
access-list 101 permit udp any host 97.76.78.218 eq snmp
access-list 101 permit udp any host 97.76.78.218 eq syslog
access-list 101 permit object-group OpenFire any host 97.76.78.218
access-list 101 permit object-group Asterisk any host 97.76.78.218
access-list 101 permit object-group MSExchange any host 97.76.78.218
access-list 101 permit object-group ReadyDesk any host 97.76.78.218
access-list 101 permit tcp any host 97.76.78.218 eq 3389
access-list 101 permit udp any host 97.76.78.218 eq isakmp
access-list 101 permit udp any host 97.76.78.218 eq non500-isakmp
access-list 101 permit esp any host 97.76.78.218
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.10.0 0.0.0.31 10.0.2.0 0.0.0.255
access-list 102 deny tcp host 192.168.10.13 eq ftp any
access-list 102 deny tcp host 192.168.10.2 eq smtp any
access-list 102 deny udp host 192.168.10.29 eq tftp any
access-list 102 deny tcp host 192.168.10.2 eq www any
access-list 102 deny tcp host 192.168.10.2 eq pop3 any
access-list 102 deny udp host 192.168.10.28 eq snmp any
access-list 102 deny tcp host 192.168.10.2 eq 443 any
access-list 102 deny udp host 192.168.10.29 eq syslog any
access-list 102 deny tcp host 192.168.10.29 eq 3389 any
access-list 102 deny udp host 192.168.10.12 eq 5060 any
access-list 102 deny tcp host 192.168.10.28 eq 5222 any
access-list 102 deny tcp host 192.168.10.28 eq 5223 any
access-list 102 deny tcp host 192.168.10.28 eq 8081 any
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.1
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.2
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.3
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.4
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.5
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.6
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.7
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.8
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.9
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.10
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.11
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.12
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.13
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.14
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.15
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.16
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.17
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.18
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.19
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.20
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.21
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.22
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.23
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.24
access-list 102 deny ip 192.168.10.0 0.0.0.31 host 192.168.0.25
access-list 102 permit ip 192.168.10.0 0.0.0.31 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.31 10.0.2.0 0.0.0.255
access-list 108 remark CCP_ACL Category=2
access-list 108 deny ip host 192.168.10.29 host 192.168.0.25
access-list 108 deny ip host 192.168.10.29 host 192.168.0.24
access-list 108 deny ip host 192.168.10.29 host 192.168.0.23
access-list 108 deny ip host 192.168.10.29 host 192.168.0.22
access-list 108 deny ip host 192.168.10.29 host 192.168.0.21
access-list 108 deny ip host 192.168.10.29 host 192.168.0.20
access-list 108 deny ip host 192.168.10.29 host 192.168.0.19
access-list 108 deny ip host 192.168.10.29 host 192.168.0.18
access-list 108 deny ip host 192.168.10.29 host 192.168.0.17
access-list 108 deny ip host 192.168.10.29 host 192.168.0.16
access-list 108 deny ip host 192.168.10.29 host 192.168.0.15
access-list 108 deny ip host 192.168.10.29 host 192.168.0.14
access-list 108 deny ip host 192.168.10.29 host 192.168.0.13
access-list 108 deny ip host 192.168.10.29 host 192.168.0.12
access-list 108 deny ip host 192.168.10.29 host 192.168.0.11
access-list 108 deny ip host 192.168.10.29 host 192.168.0.10
access-list 108 deny ip host 192.168.10.29 host 192.168.0.9
access-list 108 deny ip host 192.168.10.29 host 192.168.0.8
access-list 108 deny ip host 192.168.10.29 host 192.168.0.7
access-list 108 deny ip host 192.168.10.29 host 192.168.0.6
access-list 108 deny ip host 192.168.10.29 host 192.168.0.5
access-list 108 deny ip host 192.168.10.29 host 192.168.0.4
access-list 108 deny ip host 192.168.10.29 host 192.168.0.3
access-list 108 deny ip host 192.168.10.29 host 192.168.0.2
access-list 108 deny ip host 192.168.10.29 host 192.168.0.1
access-list 108 permit tcp host 192.168.10.29 eq 3389 any
access-list 109 remark CCP_ACL Category=2
access-list 109 deny ip host 192.168.10.29 host 192.168.0.25
access-list 109 deny ip host 192.168.10.29 host 192.168.0.24
access-list 109 deny ip host 192.168.10.29 host 192.168.0.23
access-list 109 deny ip host 192.168.10.29 host 192.168.0.22
access-list 109 deny ip host 192.168.10.29 host 192.168.0.21
access-list 109 deny ip host 192.168.10.29 host 192.168.0.20
access-list 109 deny ip host 192.168.10.29 host 192.168.0.19
access-list 109 deny ip host 192.168.10.29 host 192.168.0.18
access-list 109 deny ip host 192.168.10.29 host 192.168.0.17
access-list 109 deny ip host 192.168.10.29 host 192.168.0.16
access-list 109 deny ip host 192.168.10.29 host 192.168.0.15
access-list 109 deny ip host 192.168.10.29 host 192.168.0.14
access-list 109 deny ip host 192.168.10.29 host 192.168.0.13
access-list 109 deny ip host 192.168.10.29 host 192.168.0.12
access-list 109 deny ip host 192.168.10.29 host 192.168.0.11
access-list 109 deny ip host 192.168.10.29 host 192.168.0.10
access-list 109 deny ip host 192.168.10.29 host 192.168.0.9
access-list 109 deny ip host 192.168.10.29 host 192.168.0.8
access-list 109 deny ip host 192.168.10.29 host 192.168.0.7
access-list 109 deny ip host 192.168.10.29 host 192.168.0.6
access-list 109 deny ip host 192.168.10.29 host 192.168.0.5
access-list 109 deny ip host 192.168.10.29 host 192.168.0.4
access-list 109 deny ip host 192.168.10.29 host 192.168.0.3
access-list 109 deny ip host 192.168.10.29 host 192.168.0.2
access-list 109 deny ip host 192.168.10.29 host 192.168.0.1
access-list 109 permit udp host 192.168.10.29 eq tftp any
access-list 110 remark CCP_ACL Category=2
access-list 110 deny ip host 192.168.10.29 host 192.168.0.25
access-list 110 deny ip host 192.168.10.29 host 192.168.0.24
access-list 110 deny ip host 192.168.10.29 host 192.168.0.23
access-list 110 deny ip host 192.168.10.29 host 192.168.0.22
access-list 110 deny ip host 192.168.10.29 host 192.168.0.21
access-list 110 deny ip host 192.168.10.29 host 192.168.0.20
access-list 110 deny ip host 192.168.10.29 host 192.168.0.19
access-list 110 deny ip host 192.168.10.29 host 192.168.0.18
access-list 110 deny ip host 192.168.10.29 host 192.168.0.17
access-list 110 deny ip host 192.168.10.29 host 192.168.0.16
access-list 110 deny ip host 192.168.10.29 host 192.168.0.15
access-list 110 deny ip host 192.168.10.29 host 192.168.0.14
access-list 110 deny ip host 192.168.10.29 host 192.168.0.13
access-list 110 deny ip host 192.168.10.29 host 192.168.0.12
access-list 110 deny ip host 192.168.10.29 host 192.168.0.11
access-list 110 deny ip host 192.168.10.29 host 192.168.0.10
access-list 110 deny ip host 192.168.10.29 host 192.168.0.9
access-list 110 deny ip host 192.168.10.29 host 192.168.0.8
access-list 110 deny ip host 192.168.10.29 host 192.168.0.7
access-list 110 deny ip host 192.168.10.29 host 192.168.0.6
access-list 110 deny ip host 192.168.10.29 host 192.168.0.5
access-list 110 deny ip host 192.168.10.29 host 192.168.0.4
access-list 110 deny ip host 192.168.10.29 host 192.168.0.3
access-list 110 deny ip host 192.168.10.29 host 192.168.0.2
access-list 110 deny ip host 192.168.10.29 host 192.168.0.1
access-list 110 permit udp host 192.168.10.29 eq syslog any
access-list 111 remark CCP_ACL Category=2
access-list 111 deny ip host 192.168.10.2 host 192.168.0.25
access-list 111 deny ip host 192.168.10.2 host 192.168.0.24
access-list 111 deny ip host 192.168.10.2 host 192.168.0.23
access-list 111 deny ip host 192.168.10.2 host 192.168.0.22
access-list 111 deny ip host 192.168.10.2 host 192.168.0.21
access-list 111 deny ip host 192.168.10.2 host 192.168.0.20
access-list 111 deny ip host 192.168.10.2 host 192.168.0.19
access-list 111 deny ip host 192.168.10.2 host 192.168.0.18
access-list 111 deny ip host 192.168.10.2 host 192.168.0.17
access-list 111 deny ip host 192.168.10.2 host 192.168.0.16
access-list 111 deny ip host 192.168.10.2 host 192.168.0.15
access-list 111 deny ip host 192.168.10.2 host 192.168.0.14
access-list 111 deny ip host 192.168.10.2 host 192.168.0.13
access-list 111 deny ip host 192.168.10.2 host 192.168.0.12
access-list 111 deny ip host 192.168.10.2 host 192.168.0.11
access-list 111 deny ip host 192.168.10.2 host 192.168.0.10
access-list 111 deny ip host 192.168.10.2 host 192.168.0.9
access-list 111 deny ip host 192.168.10.2 host 192.168.0.8
access-list 111 deny ip host 192.168.10.2 host 192.168.0.7
access-list 111 deny ip host 192.168.10.2 host 192.168.0.6
access-list 111 deny ip host 192.168.10.2 host 192.168.0.5
access-list 111 deny ip host 192.168.10.2 host 192.168.0.4
access-list 111 deny ip host 192.168.10.2 host 192.168.0.3
access-list 111 deny ip host 192.168.10.2 host 192.168.0.2
access-list 111 deny ip host 192.168.10.2 host 192.168.0.1
access-list 111 permit tcp host 192.168.10.2 eq smtp any
access-list 112 remark CCP_ACL Category=2
access-list 112 deny ip host 192.168.10.28 host 192.168.0.25
access-list 112 deny ip host 192.168.10.28 host 192.168.0.24
access-list 112 deny ip host 192.168.10.28 host 192.168.0.23
access-list 112 deny ip host 192.168.10.28 host 192.168.0.22
access-list 112 deny ip host 192.168.10.28 host 192.168.0.21
access-list 112 deny ip host 192.168.10.28 host 192.168.0.20
access-list 112 deny ip host 192.168.10.28 host 192.168.0.19
access-list 112 deny ip host 192.168.10.28 host 192.168.0.18
access-list 112 deny ip host 192.168.10.28 host 192.168.0.17
access-list 112 deny ip host 192.168.10.28 host 192.168.0.16
access-list 112 deny ip host 192.168.10.28 host 192.168.0.15
access-list 112 deny ip host 192.168.10.28 host 192.168.0.14
access-list 112 deny ip host 192.168.10.28 host 192.168.0.13
access-list 112 deny ip host 192.168.10.28 host 192.168.0.12
access-list 112 deny ip host 192.168.10.28 host 192.168.0.11
access-list 112 deny ip host 192.168.10.28 host 192.168.0.10
access-list 112 deny ip host 192.168.10.28 host 192.168.0.9
access-list 112 deny ip host 192.168.10.28 host 192.168.0.8
access-list 112 deny ip host 192.168.10.28 host 192.168.0.7
access-list 112 deny ip host 192.168.10.28 host 192.168.0.6
access-list 112 deny ip host 192.168.10.28 host 192.168.0.5
access-list 112 deny ip host 192.168.10.28 host 192.168.0.4
access-list 112 deny ip host 192.168.10.28 host 192.168.0.3
access-list 112 deny ip host 192.168.10.28 host 192.168.0.2
access-list 112 deny ip host 192.168.10.28 host 192.168.0.1
access-list 112 permit tcp host 192.168.10.28 eq 8081 any
access-list 113 remark CCP_ACL Category=2
access-list 113 deny ip host 192.168.10.28 host 192.168.0.25
access-list 113 deny ip host 192.168.10.28 host 192.168.0.24
access-list 113 deny ip host 192.168.10.28 host 192.168.0.23
access-list 113 deny ip host 192.168.10.28 host 192.168.0.22
access-list 113 deny ip host 192.168.10.28 host 192.168.0.21
access-list 113 deny ip host 192.168.10.28 host 192.168.0.20
access-list 113 deny ip host 192.168.10.28 host 192.168.0.19
access-list 113 deny ip host 192.168.10.28 host 192.168.0.18
access-list 113 deny ip host 192.168.10.28 host 192.168.0.17
access-list 113 deny ip host 192.168.10.28 host 192.168.0.16
access-list 113 deny ip host 192.168.10.28 host 192.168.0.15
access-list 113 deny ip host 192.168.10.28 host 192.168.0.14
access-list 113 deny ip host 192.168.10.28 host 192.168.0.13
access-list 113 deny ip host 192.168.10.28 host 192.168.0.12
access-list 113 deny ip host 192.168.10.28 host 192.168.0.11
access-list 113 deny ip host 192.168.10.28 host 192.168.0.10
access-list 113 deny ip host 192.168.10.28 host 192.168.0.9
access-list 113 deny ip host 192.168.10.28 host 192.168.0.8
access-list 113 deny ip host 192.168.10.28 host 192.168.0.7
access-list 113 deny ip host 192.168.10.28 host 192.168.0.6
access-list 113 deny ip host 192.168.10.28 host 192.168.0.5
access-list 113 deny ip host 192.168.10.28 host 192.168.0.4
access-list 113 deny ip host 192.168.10.28 host 192.168.0.3
access-list 113 deny ip host 192.168.10.28 host 192.168.0.2
access-list 113 deny ip host 192.168.10.28 host 192.168.0.1
access-list 113 permit udp host 192.168.10.28 eq snmp any
access-list 114 remark CCP_ACL Category=2
access-list 114 deny ip host 192.168.10.2 host 192.168.0.25
access-list 114 deny ip host 192.168.10.2 host 192.168.0.24
access-list 114 deny ip host 192.168.10.2 host 192.168.0.23
access-list 114 deny ip host 192.168.10.2 host 192.168.0.22
access-list 114 deny ip host 192.168.10.2 host 192.168.0.21
access-list 114 deny ip host 192.168.10.2 host 192.168.0.20
access-list 114 deny ip host 192.168.10.2 host 192.168.0.19
access-list 114 deny ip host 192.168.10.2 host 192.168.0.18
access-list 114 deny ip host 192.168.10.2 host 192.168.0.17
access-list 114 deny ip host 192.168.10.2 host 192.168.0.16
access-list 114 deny ip host 192.168.10.2 host 192.168.0.15
access-list 114 deny ip host 192.168.10.2 host 192.168.0.14
access-list 114 deny ip host 192.168.10.2 host 192.168.0.13
access-list 114 deny ip host 192.168.10.2 host 192.168.0.12
access-list 114 deny ip host 192.168.10.2 host 192.168.0.11
access-list 114 deny ip host 192.168.10.2 host 192.168.0.10
access-list 114 deny ip host 192.168.10.2 host 192.168.0.9
access-list 114 deny ip host 192.168.10.2 host 192.168.0.8
access-list 114 deny ip host 192.168.10.2 host 192.168.0.7
access-list 114 deny ip host 192.168.10.2 host 192.168.0.6
access-list 114 deny ip host 192.168.10.2 host 192.168.0.5
access-list 114 deny ip host 192.168.10.2 host 192.168.0.4
access-list 114 deny ip host 192.168.10.2 host 192.168.0.3
access-list 114 deny ip host 192.168.10.2 host 192.168.0.2
access-list 114 deny ip host 192.168.10.2 host 192.168.0.1
access-list 114 permit tcp host 192.168.10.2 eq 443 any
access-list 115 remark CCP_ACL Category=2
access-list 115 deny ip host 192.168.10.13 host 192.168.0.25
access-list 115 deny ip host 192.168.10.13 host 192.168.0.24
access-list 115 deny ip host 192.168.10.13 host 192.168.0.23
access-list 115 deny ip host 192.168.10.13 host 192.168.0.22
access-list 115 deny ip host 192.168.10.13 host 192.168.0.21
access-list 115 deny ip host 192.168.10.13 host 192.168.0.20
access-list 115 deny ip host 192.168.10.13 host 192.168.0.19
access-list 115 deny ip host 192.168.10.13 host 192.168.0.18
access-list 115 deny ip host 192.168.10.13 host 192.168.0.17
access-list 115 deny ip host 192.168.10.13 host 192.168.0.16
access-list 115 deny ip host 192.168.10.13 host 192.168.0.15
access-list 115 deny ip host 192.168.10.13 host 192.168.0.14
access-list 115 deny ip host 192.168.10.13 host 192.168.0.13
access-list 115 deny ip host 192.168.10.13 host 192.168.0.12
access-list 115 deny ip host 192.168.10.13 host 192.168.0.11
access-list 115 deny ip host 192.168.10.13 host 192.168.0.10
access-list 115 deny ip host 192.168.10.13 host 192.168.0.9
access-list 115 deny ip host 192.168.10.13 host 192.168.0.8
access-list 115 deny ip host 192.168.10.13 host 192.168.0.7
access-list 115 deny ip host 192.168.10.13 host 192.168.0.6
access-list 115 deny ip host 192.168.10.13 host 192.168.0.5
access-list 115 deny ip host 192.168.10.13 host 192.168.0.4
access-list 115 deny ip host 192.168.10.13 host 192.168.0.3
access-list 115 deny ip host 192.168.10.13 host 192.168.0.2
access-list 115 deny ip host 192.168.10.13 host 192.168.0.1
access-list 115 permit tcp host 192.168.10.13 eq ftp any
access-list 116 remark CCP_ACL Category=2
access-list 116 deny ip host 192.168.10.12 host 192.168.0.25
access-list 116 deny ip host 192.168.10.12 host 192.168.0.24
access-list 116 deny ip host 192.168.10.12 host 192.168.0.23
access-list 116 deny ip host 192.168.10.12 host 192.168.0.22
access-list 116 deny ip host 192.168.10.12 host 192.168.0.21
access-list 116 deny ip host 192.168.10.12 host 192.168.0.20
access-list 116 deny ip host 192.168.10.12 host 192.168.0.19
access-list 116 deny ip host 192.168.10.12 host 192.168.0.18
access-list 116 deny ip host 192.168.10.12 host 192.168.0.17
access-list 116 deny ip host 192.168.10.12 host 192.168.0.16
access-list 116 deny ip host 192.168.10.12 host 192.168.0.15
access-list 116 deny ip host 192.168.10.12 host 192.168.0.14
access-list 116 deny ip host 192.168.10.12 host 192.168.0.13
access-list 116 deny ip host 192.168.10.12 host 192.168.0.12
access-list 116 deny ip host 192.168.10.12 host 192.168.0.11
access-list 116 deny ip host 192.168.10.12 host 192.168.0.10
access-list 116 deny ip host 192.168.10.12 host 192.168.0.9
access-list 116 deny ip host 192.168.10.12 host 192.168.0.8
access-list 116 deny ip host 192.168.10.12 host 192.168.0.7
access-list 116 deny ip host 192.168.10.12 host 192.168.0.6
access-list 116 deny ip host 192.168.10.12 host 192.168.0.5
access-list 116 deny ip host 192.168.10.12 host 192.168.0.4
access-list 116 deny ip host 192.168.10.12 host 192.168.0.3
access-list 116 deny ip host 192.168.10.12 host 192.168.0.2
access-list 116 deny ip host 192.168.10.12 host 192.168.0.1
access-list 116 permit udp host 192.168.10.12 eq 5060 any
access-list 117 remark CCP_ACL Category=2
access-list 117 deny ip host 192.168.10.2 host 192.168.0.25
access-list 117 deny ip host 192.168.10.2 host 192.168.0.24
access-list 117 deny ip host 192.168.10.2 host 192.168.0.23
access-list 117 deny ip host 192.168.10.2 host 192.168.0.22
access-list 117 deny ip host 192.168.10.2 host 192.168.0.21
access-list 117 deny ip host 192.168.10.2 host 192.168.0.20
access-list 117 deny ip host 192.168.10.2 host 192.168.0.19
access-list 117 deny ip host 192.168.10.2 host 192.168.0.18
access-list 117 deny ip host 192.168.10.2 host 192.168.0.17
access-list 117 deny ip host 192.168.10.2 host 192.168.0.16
access-list 117 deny ip host 192.168.10.2 host 192.168.0.15
access-list 117 deny ip host 192.168.10.2 host 192.168.0.14
access-list 117 deny ip host 192.168.10.2 host 192.168.0.13
access-list 117 deny ip host 192.168.10.2 host 192.168.0.12
access-list 117 deny ip host 192.168.10.2 host 192.168.0.11
access-list 117 deny ip host 192.168.10.2 host 192.168.0.10
access-list 117 deny ip host 192.168.10.2 host 192.168.0.9
access-list 117 deny ip host 192.168.10.2 host 192.168.0.8
access-list 117 deny ip host 192.168.10.2 host 192.168.0.7
access-list 117 deny ip host 192.168.10.2 host 192.168.0.6
access-list 117 deny ip host 192.168.10.2 host 192.168.0.5
access-list 117 deny ip host 192.168.10.2 host 192.168.0.4
access-list 117 deny ip host 192.168.10.2 host 192.168.0.3
access-list 117 deny ip host 192.168.10.2 host 192.168.0.2
access-list 117 deny ip host 192.168.10.2 host 192.168.0.1
access-list 117 permit tcp host 192.168.10.2 eq www any
access-list 118 remark CCP_ACL Category=2
access-list 118 deny ip host 192.168.10.28 host 192.168.0.25
access-list 118 deny ip host 192.168.10.28 host 192.168.0.24
access-list 118 deny ip host 192.168.10.28 host 192.168.0.23
access-list 118 deny ip host 192.168.10.28 host 192.168.0.22
access-list 118 deny ip host 192.168.10.28 host 192.168.0.21
access-list 118 deny ip host 192.168.10.28 host 192.168.0.20
access-list 118 deny ip host 192.168.10.28 host 192.168.0.19
access-list 118 deny ip host 192.168.10.28 host 192.168.0.18
access-list 118 deny ip host 192.168.10.28 host 192.168.0.17
access-list 118 deny ip host 192.168.10.28 host 192.168.0.16
access-list 118 deny ip host 192.168.10.28 host 192.168.0.15
access-list 118 deny ip host 192.168.10.28 host 192.168.0.14
access-list 118 deny ip host 192.168.10.28 host 192.168.0.13
access-list 118 deny ip host 192.168.10.28 host 192.168.0.12
access-list 118 deny ip host 192.168.10.28 host 192.168.0.11
access-list 118 deny ip host 192.168.10.28 host 192.168.0.10
access-list 118 deny ip host 192.168.10.28 host 192.168.0.9
access-list 118 deny ip host 192.168.10.28 host 192.168.0.8
access-list 118 deny ip host 192.168.10.28 host 192.168.0.7
access-list 118 deny ip host 192.168.10.28 host 192.168.0.6
access-list 118 deny ip host 192.168.10.28 host 192.168.0.5
access-list 118 deny ip host 192.168.10.28 host 192.168.0.4
access-list 118 deny ip host 192.168.10.28 host 192.168.0.3
access-list 118 deny ip host 192.168.10.28 host 192.168.0.2
access-list 118 deny ip host 192.168.10.28 host 192.168.0.1
access-list 118 permit tcp host 192.168.10.28 eq 5223 any
access-list 119 remark CCP_ACL Category=2
access-list 119 deny ip host 192.168.10.28 host 192.168.0.25
access-list 119 deny ip host 192.168.10.28 host 192.168.0.24
access-list 119 deny ip host 192.168.10.28 host 192.168.0.23
access-list 119 deny ip host 192.168.10.28 host 192.168.0.22
access-list 119 deny ip host 192.168.10.28 host 192.168.0.21
access-list 119 deny ip host 192.168.10.28 host 192.168.0.20
access-list 119 deny ip host 192.168.10.28 host 192.168.0.19
access-list 119 deny ip host 192.168.10.28 host 192.168.0.18
access-list 119 deny ip host 192.168.10.28 host 192.168.0.17
access-list 119 deny ip host 192.168.10.28 host 192.168.0.16
access-list 119 deny ip host 192.168.10.28 host 192.168.0.15
access-list 119 deny ip host 192.168.10.28 host 192.168.0.14
access-list 119 deny ip host 192.168.10.28 host 192.168.0.13
access-list 119 deny ip host 192.168.10.28 host 192.168.0.12
access-list 119 deny ip host 192.168.10.28 host 192.168.0.11
access-list 119 deny ip host 192.168.10.28 host 192.168.0.10
access-list 119 deny ip host 192.168.10.28 host 192.168.0.9
access-list 119 deny ip host 192.168.10.28 host 192.168.0.8
access-list 119 deny ip host 192.168.10.28 host 192.168.0.7
access-list 119 deny ip host 192.168.10.28 host 192.168.0.6
access-list 119 deny ip host 192.168.10.28 host 192.168.0.5
access-list 119 deny ip host 192.168.10.28 host 192.168.0.4
access-list 119 deny ip host 192.168.10.28 host 192.168.0.3
access-list 119 deny ip host 192.168.10.28 host 192.168.0.2
access-list 119 deny ip host 192.168.10.28 host 192.168.0.1
access-list 119 permit tcp host 192.168.10.28 eq 5222 any
access-list 120 remark CCP_ACL Category=2
access-list 120 deny ip host 192.168.10.2 host 192.168.0.25
access-list 120 deny ip host 192.168.10.2 host 192.168.0.24
access-list 120 deny ip host 192.168.10.2 host 192.168.0.23
access-list 120 deny ip host 192.168.10.2 host 192.168.0.22
access-list 120 deny ip host 192.168.10.2 host 192.168.0.21
access-list 120 deny ip host 192.168.10.2 host 192.168.0.20
access-list 120 deny ip host 192.168.10.2 host 192.168.0.19
access-list 120 deny ip host 192.168.10.2 host 192.168.0.18
access-list 120 deny ip host 192.168.10.2 host 192.168.0.17
access-list 120 deny ip host 192.168.10.2 host 192.168.0.16
access-list 120 deny ip host 192.168.10.2 host 192.168.0.15
access-list 120 deny ip host 192.168.10.2 host 192.168.0.14
access-list 120 deny ip host 192.168.10.2 host 192.168.0.13
access-list 120 deny ip host 192.168.10.2 host 192.168.0.12
access-list 120 deny ip host 192.168.10.2 host 192.168.0.11
access-list 120 deny ip host 192.168.10.2 host 192.168.0.10
access-list 120 deny ip host 192.168.10.2 host 192.168.0.9
access-list 120 deny ip host 192.168.10.2 host 192.168.0.8
access-list 120 deny ip host 192.168.10.2 host 192.168.0.7
access-list 120 deny ip host 192.168.10.2 host 192.168.0.6
access-list 120 deny ip host 192.168.10.2 host 192.168.0.5
access-list 120 deny ip host 192.168.10.2 host 192.168.0.4
access-list 120 deny ip host 192.168.10.2 host 192.168.0.3
access-list 120 deny ip host 192.168.10.2 host 192.168.0.2
access-list 120 deny ip host 192.168.10.2 host 192.168.0.1
access-list 120 permit tcp host 192.168.10.2 eq pop3 any
access-list 121 remark CCP_ACL Category=4
access-list 121 permit ip 192.168.10.0 0.0.0.31 any
!
no cdp run
!
!
!
route-map SDM_RMAP permit 1
match ip address 100
!
route-map SDM_RMAP_15 permit 1
match ip address 120
!
route-map SDM_RMAP_14 permit 1
match ip address 119
!
route-map SDM_RMAP_11 permit 1
match ip address 116
!
route-map SDM_RMAP_10 permit 1
match ip address 115
!
route-map SDM_RMAP_13 permit 1
match ip address 118
!
route-map SDM_RMAP_12 permit 1
match ip address 117
!
route-map SDM_RMAP_4 permit 1
match ip address 109
!
route-map SDM_RMAP_5 permit 1
match ip address 110
!
route-map SDM_RMAP_6 permit 1
match ip address 111
!
route-map SDM_RMAP_7 permit 1
match ip address 112
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_3 permit 1
match ip address 108
!
route-map SDM_RMAP_8 permit 1
match ip address 113
!
route-map SDM_RMAP_9 permit 1
match ip address 114
!
route-map RMAP-NAT permit 10
match ip address NAT_ACL
!
!
snmp-server community public RO
snmp-server community ourCommStr RW
snmp-server location Tampa, Florida, USA
snmp-server contact MIS IT Services x1000
snmp-server enable traps snmp linkdown linkup coldstart
snmp-server host 192.168.10.28 version 2c ourCommStr
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password 7 02160B5E520F020D494F5D4A
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp logging
ntp master
ntp update-calendar
ntp server 64.113.32.5 source GigabitEthernet0/0
ntp server 24.56.178.140 source GigabitEthernet0/0
ntp server 12.10.191.151 source GigabitEthernet0/0
ntp server 96.226.123.157 source GigabitEthernet0/0
ntp server 129.6.15.30 prefer source GigabitEthernet0/0
ntp server 64.239.96.53 source GigabitEthernet0/0
end
07-12-2013 01:39 AM
Hi,
Have you verified that you have a connection to the other device? Can you ping the other peer's IP address without problems? On the 2911 I don't see any ACL explicitly opening port 500. Is there any device doing NAT between this 2911 and the SA540? If yes, then you need to open 4500. I am not familiar with the SA540, so I can't help you much on that side. Also, can you try adding the hash attribute on the policy above? I know the default on the 2900 is sha1, and maybe that's why it's not showing up in the running config, but I just want to be sure that it's not md5.
HTH,
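To run the port check from the reply above against a saved copy of the running config, here is an added example (not from the thread or from Cisco): a small Python scanner that lists numbered-ACL entries permitting IKE (UDP 500), NAT-T (UDP 4500) or ESP, so you can tell at a glance whether an inbound ACL on the outside interface leaves room for the peer. It assumes the config is available as text; the sample entries and the 203.0.113.5 / 198.51.100.1 peer addresses are constructed.

```python
import re

# Names IOS may print for the IKE ports (the thread's config uses names like "snmp").
IKE_PORTS = {"500": "isakmp", "isakmp": "isakmp",
             "4500": "non500-isakmp", "non500-isakmp": "non500-isakmp"}
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

def _endpoint(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT' (gt/lt/range not handled)."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        addr, i = tokens[i] + " " + tokens[i + 1], i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = tokens[i + 1], i + 2
    return addr, port, i

def find_ike_permits(config_text):
    """Return (acl, proto, src, dst, service) for each numbered-ACL permit that could carry IKE (UDP 500),
    NAT-T (UDP 4500) or ESP, in config order; standard ACLs and other protocols are skipped. First-match
    semantics are not evaluated: a 'deny' for the peer placed above a hit still wins and must be read by eye."""
    hits = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(2) != "permit" or m.group(3) not in ("ip", "udp", "esp", "50"):
            continue
        acl, _, proto, rest = m.groups()
        tokens = rest.split()
        src, sport, i = _endpoint(tokens, 0)
        dst, dport, _ = _endpoint(tokens, i)
        if proto in ("esp", "50"):
            hits.append((acl, proto, src, dst, "esp"))
        elif proto == "ip":                       # blanket permit covers IKE and ESP too
            hits.append((acl, proto, src, dst, "all"))
        elif dport in IKE_PORTS and (sport is None or sport in IKE_PORTS):
            hits.append((acl, proto, src, dst, IKE_PORTS[dport]))   # a source 'eq snmp' etc. is not IKE
    return hits

# Constructed sample: line 1 copies the thread's style; 203.0.113.5 / 198.51.100.1 are
# documentation-range stand-ins for the two VPN peers.
SAMPLE_CONFIG = """\
access-list 113 permit udp host 192.168.10.28 eq snmp any
access-list 121 permit ip 192.168.10.0 0.0.0.31 any
access-list 150 permit udp host 203.0.113.5 host 198.51.100.1 eq isakmp
access-list 150 permit udp host 203.0.113.5 host 198.51.100.1 eq 4500
access-list 150 permit esp host 203.0.113.5 host 198.51.100.1
access-list 150 deny ip any any
"""
```

A hit still has to be read together with any deny above it and with the interface the ACL is applied to, which the scanner does not track.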